Methods, systems and apparatus for monitoring and/or generating communications in a communications network

ABSTRACT

A module for use in a communications network in which a plurality of signals are transmitted between respective first and second nodes, the module having an engine for receiving the plurality of signals over the network, for extracting protocol data therefrom and for providing the extracted protocol data to an analyser; and a processor for controlling operation of the engine and analyser. The invention also provides an apparatus for generating communications, systems including the module and/or the apparatus, and corresponding methods.

FIELD OF THE INVENTION

The present invention relates to methods, apparatus and systems formonitoring and/or generating communications in a communications network.The communications may include wired and/or wireless communicationswhich may be used for the transfer of voice and/or data. Moreparticularly, embodiments of the invention provide for lawfulinterception of communications and/or the collection of informationregarding communications and/or the generation of communications.

BACKGROUND

The Open Systems Interconnection (OSI) reference model provides a set ofprotocols that defines and standardises the data communications processto establish a networking framework which facilitates the exchange ortransfer of information from a first application to a second applicationthrough a network medium, where the first and second applications mayreside or operate in first and second nodes or stations, respectively,typically computing devices. A description of the OSI model in relationto internetworks is provided in “Designing Cisco Networks”, Teare,Diane, Indianapolis: Cisco Press, July 1999, a copy of which may befound on www.cisco.com.

The OSI model provides for implementing protocols in seven layers sothat the transfer of information is broken down into smaller, moremanageable tasks, with each layer being assigned a subset of thesetasks. Each layer is reasonably self-contained so that the tasksassigned to each layer can be implemented independently. The sevenlayers are specified below:

-   -   application (layer 7)    -   presentation (layer 6)    -   session (layer 5)    -   transport (layer 4)    -   network (layer 3)    -   data link (layer 2)    -   physical (layer 1)

The top three layers, known as the application set of layers(application, presentation and session), may be grouped together as theyprovide the application services required for the exchange ofinformation in that they allow two applications to interact with eachother through the services provided by their respective operatingsystems. The bottom four layers or data transport layers (transport,network, data link and physical) may also be grouped together, withthese four layers providing the end-to-end services necessary for dataexchange between two systems using protocols associated with thecommunications network used to link the two nodes together.

Generally, any given layer will communicate with three other layers—thelayers immediately above and below, as well as the peer layer in othernetworked systems. The services provided by adjacent layers help a givenOSI layer communicate with its peer layer, which is important becausethe information exchange process occurs between peer layers.

At the originating system, each OSI layer adds control information tothe data or information to be exchanged, whereas the destination systemanalyses and removes the control information from the data. Thus, theorigination system works from the application layer to the physicallayer, adding control information at each layer, whereas the destinationsystem works from the physical layer to the application layer,extracting control information at each layer so as to arrive at theoriginal data.

The physical layer defines the electrical, mechanical, procedural andfunctional specifications for activating, maintaining and deactivatingthe physical link between communication network systems. It isresponsible for any encoding scheme, defines physical aspects such ascables and cards, provides electrical and mechanical interfaces for anetwork and specifies how signals are to be transmitted on the network.

The data link layer provides for the reliable transit of data across aphysical network link by defining network and protocol characteristics,including physical addressing which enables multiple devices to uniquelyidentify one another at the data link layer. The data link layercontrols frame synchronisation, flow control and error checking.

The network layer defines the network address (as opposed to thephysical address) and provides switching and routing technologies tocreate logical paths for transmitting from node to node. The layer alsocontrols error handling, congestion control and packet sequencing.

The transport layer provides for the transparent transfer of databetween end systems or hosts and is responsible for end-to-end errorrecovery and flow control, thereby ensuring complete data transfer.

The session layer establishes, manages and terminates communicationsessions.

The presentation layer works to transform data into the form that theapplication layer can accept so that the information or data sent fromthe application layer of one system is readable by the application layerof another system. This layer formats and encrypts data to be sentacross a network providing freedom from compatibility problems.

The application layer supports application and end user processes byinteracting with software applications that implement a communicatingcomponent. Functions of this layer include identifying communicationpartners and quality of service, considering user authentication andprivacy, determining resource availability and synchronisingcommunication.

Protocol stacks are particular implementations (usually in software) ofa protocol suite. Protocol stacks are often divided into media,transport and application sections or layers with interfaces, defined bysoftware provided between the media and transport layers and thetransport and application layers. The media/transport interface defineshow protocol software makes use of particular media and hardware types(e.g. card drivers). For example, this interface may define how TCP/IPtransport software talks to Ethernet hardware. The application/transportinterface specifies how application programs make use of the transportlayers. For example, this interface may define how a web browser programtalks to TCP/IP transport software.

Telecommunications service providers have been requested to facilitatethe lawful interception of telephone calls and other transfers ofinformation over their networks so as to enable authorisedorganisations, such as law enforcement agencies, to monitor andintercept communications by individuals under investigation.

US 2004/0165709 A1 describes the interception of calls within a Voiceover Internet Protocol or VoIP network. The VoIP network includes aswitch that offers IP-based telephony services for subscribers over apacket network. Packet interceptors are deployed in the packet networkto non-intrusively monitor the signalling and media packets, whichcomprise a call in a VoIP network. Following receipt of an interceptionrequest, a call monitoring engine notifies the packet interceptors tomonitor for any activity on the VoIP network for a specific telephone.The packet interceptors then isolate and filter packets based onstandard VoIP signalling protocols. In response to commands from thecall monitoring engine, the packet interceptors forward voice packets toa voice packet receiver and assembler, which buffers and re-transmitsthe media stream to a law enforcement agency over a secure channel.

US 2002/0078384 A1 describes an interception method and system for apacket network, such as a GPRS (General Packet Radio Service) or UMTS(Universal Mobile Telecommunications System) network. A first networkelement is provided for intercepting data packets in a packet network.The first network element reads headers of data packets and uses thisinformation to select whether or not to intercept a particular packet.Packets selected for interception are duplicated and sent to aninterception gateway element (as well as the packet network), which inturn forwards the packets to an intercepting authority.

US 2005/0094651 A1 describes a lawful interception gateway whichreceives RTP/IP packets comprising the content of an interceptedcommunication between two or more users of a communication network froma media gateway. When a communication involving a target user isdetected by the media gateway, the media gateway transmits interceptionrelated information and the corresponding communication content to amonitoring facility.

U.S. Pat. No. 5,913,161 describes lawful interception of cellularcommunications. Communications are copied at the interface to a basestation subsystem. Control information is continuously monitored so asto identify target identification numbers of called and calling parties.Upon finding a target number, the copy of the relevant channel isforwarded to a monitoring station.

EP 1 484 892 A2 describes lawful interception of packet switched networkservices. Interception functionality is provided at a switch, which maybe any node in the network where data packets, including packets thatcontain the user ID of a subscriber to the network, can be intercepted.On attempting to log on, the user ID is compared to a list of targetuser IDs and, if there is a match, a copy of the communications isforwarded to a monitoring station.

There remains a need in the art for a system and/or apparatus and/ormethod which enables communications of different types to be monitoredconcurrently, particularly in or approaching real-time.

SUMMARY OF THE INVENTION

It is an object of the invention to provide an improved system and/orapparatus and/or method for intercepting communications in acommunications network.

Alternatively, it is an object of the invention to provide a systemand/or apparatus and/or method for collecting information regarding oneor more communications in a communications network.

Alternatively, it is an object of the invention to provide a systemand/or apparatus and/or method for generating communications in acommunications network.

Alternatively, it is an object of the invention to provide at least auseful choice to the public.

According to a first aspect of the invention, there is provided a modulefor use in a communications network in which a plurality of signals aretransmitted between respective first and second nodes, the modulecomprising an engine for receiving the plurality of signals over thenetwork, for extracting protocol data therefrom and for providing theextracted protocol data to an analyser; and a processor for controllingoperation of the engine and the analyser.

Preferably, the module is adapted to divide signals between a respectivefirst node and second node into a plurality of planes and to separatelyprocess each plane.

Preferably, the module is adapted to divide the signals into threeplanes.

Preferably, a first plane comprises the access side TRANSPORT planewhich carries the user's payload (sms, voice, video, internet data etc)to the carrier's CO exchange for switching and routing over the telco'snetwork. eg: Radio link, phone line, DSL line, PABX trunks Ethernet etc.The module preferably simultaneously processes the transport layer onthe access side of the network for call processing and the network sidefor internal management functions such as redundancy and systemreliability.

Preferably, a second plane comprises call control information and/ornetwork call signalling and may be referred to as the CONTROL plane. Themodule processes the control plane on both the access and core networks,depending on the carrier and the user device.

Preferably, a third plane comprises user plane traffic and may bereferred to as the USER plane. This plane is primarily concerned withuser generated content e.g. voice, data etc, but may contain callcontrol signalling and/or network information generated by userapplications, depending on service protocols. The module preferablyprocesses the user plane on both the access and core networks.

Preferably, the module is configured to process the user and/or networkcontrol signalling and the control information to control processing ofthe user plane traffic.

Preferably, each plane is processed substantially simultaneously.

According to particular embodiments of the invention, the three planesare used to functionally group a particular signal's protocol layers.The planes are then preferably divided into two sections: access andcore. The access section connects the user to the, for example, telconetwork (wireline, local loop, cellular, RAN etc) and the core sectionconsists of the carriers' infrastructure switches. Particular call,session and/or user (including subscriber and/or device) identities maybe generated and/or be simultaneously present in one or more of thethree planes. The units of information processed in a plane may bereferred to as a PDU or Plane Data Unit. Calls received which do nothave the particular identity may be immediately discarded.

The PDU information content of each layer described above is onlyindicative of what would typically be expected and there is a highdegree of overlap particularly between the CONTROL and USER planes,especially in wireless networks.

Preferably, the module engine applies a weight to the PDU to facilitatehigh speed processing efficiency, provide a mechanism for real-timeadaptation of the executing engine code and ensure reliable contentdelivery.

Preferably, on a per call basis, each plane processes and assigns aweighting to the PDU (call component signalling) it receives and/orgenerates in combination with the previous plane weighting (if present)and local system parameters which contribute to system processing. ThePDU weighting reflects the section (access, core), wireless/fixedtechnology, handling complexity, density, payload QoS, system processingintensity etc. For traffic identified and not discarded and/or generatedthe module engine code cycle operation applies a native and very naturallogical centrifugal force to the weighted PDU's. This force aligns thePDU with upper plane particular control processing such as exceptionhandling or delivery routing changes for QoS to external systems.

Thus, embodiments of the invention enable real-time processing ofcommunications by performing initial processing on only a portion of thedata that makes up any given communication, namely user and/or networkcall signalling and/or transport information. More time and/or processorintensive operations may then only be performed for a subset ofcommunications. However, through the use of the protocol information,routing and the control of the state of communications during processingis ensured.

Preferably, the module comprises means for duplicating the plurality ofsignals to form two or more sets of substantially identical signals.

Preferably, the means for duplicating comprises one or more of a tap, amirror or a splitter. Note that the means for duplicating may not beincluded with in the module but as an external component communicativelycoupled thereto.

Preferably, the engine is configured to receive the first set of saidsignals.

Preferably, the module is configured to transparently transport thesecond set of signals such that each signal is conveyed to itsrespective destination node.

Preferably, the engine is adapted to extract protocol data from each ofthe plurality of signals (more particularly, each PDU) and form anengine CDC (Centrifuge Data Control) set or hash set for each saidsignal, each engine data set comprising information regarding userand/or transport and/or network signalling, control information and anyuser plane traffic. The engine may then apply a weight to the PDU, asdescribed hereinabove.

Preferably, the engine is located remote from the analyser and/or theprocessor but communicatively coupled thereto.

Preferably, the analyser is located remote from the processor butcommunicatively coupled thereto.

Alternatively, any two or more of the engine, analyser and processor maybe integrated.

Preferably, the processor is adapted to receive one or more mode signalswhich determine the functional characteristics of the module.

Preferably, the processor is adapted to receive a mode signal from auser entry device.

Preferably, the processor is adapted to relay a first set of controlparameters to the analyser in response to a mode signal.

Preferably, the analyser is adapted to relay a second set of controlparameters to the engine in response to the first set of controlparameters.

Preferably, the processor is adapted to relay a second set of controlparameters to the engine in response to a mode signal.

Preferably, the processor is adapted to relay the second set of controlparameters to the engine via the analyser.

Preferably, the analyser is adapted to modify the second set of controlparameters prior to relaying said parameters to the engine.

Preferably, the analyser is adapted to extract operational parametersfrom a database in response to the first set of control parameters.

Preferably, the engine is adapted to extract operational parameters froma database in response to the second set of control parameters.

According to one embodiment, a mode signal may indicate a lawfulinterception mode of operation with the module being adapted to receivean identifier identifying one or more signals to be intercepted.

Preferably, the analyser is configured to locate the one or more signalsfrom the plurality of signals using the identifier and the extractedprotocol data. More particularly, the analyser may search the extractedprotocol data for instances of the identifier.

Preferably, the identifier comprises a user identifier and/or a userdevice identifier associated with one or more of said signals. Forexample, the identifier may comprise one or more of a telephone number,a unique device or port identifier, a username, a login name, an emailaddress, a URL, a service identifier or a category/type of serviceidentifier. The type of identifier is not important and will depend onthe particular application of the invention. Any identifier may be usedwhich serves to selectively identify the desired subset ofcommunications.

Preferably, the module is adapted to receive the identifier from adatabase. The database may form part of the module.

Identifiers may be received via a user entry device, such as a keyboard.

Preferably, the module comprises a memory for storing at least a portionof the intercepted signal and/or information obtained therefrom.

Preferably, the module comprises a transmitter for transmitting at leasta portion of the intercepted signal and/or information obtainedtherefrom to a remote node, in which case, the module preferablycomprises means for encrypting the at least a portion of the interceptedsignal and/or information obtained therefrom prior to transmission.

Preferably, the remote node is located at or is in the control of a lawenforcement agency.

Preferably, the analyser is adapted to generate an analysis hash set foreach signal to be intercepted, the analysis hash set comprising at leasta portion of the engine hash or data set for the respective signal andcontrol and/or transport information for enabling transfer of theanalysis hash set and/or the associated user traffic to the remote node.

According to one embodiment, a mode signal may indicate an informationgathering mode of operation.

In response to the mode signal, the analyser is preferably configured togather information from at least a portion of the signals, such as forthe purpose of billing users/customers.

It should be noted that the lawful interception mode and the informationmode may operate concurrently and, according to particular embodimentsof the invention, the information gathering may be performed forintercepted communications.

Preferably, the analyser is configured to extract details of theoriginating and/or destination nodes; and/or a duration of thecommunication and/or an amount of data exchanged between the two nodes;and/or a type or category of service information.

Preferably, the analyser is adapted to format the information fortransmission to a billing authority.

The billing authority may be a telecoms operator and/or an internetservice provider.

The analyser is preferably adapted to generate an analysis hash set foreach signal of the at least a portion of the signals, the analysis hashset comprising at least a portion of the engine hash or data set for therespective signal and control and/or transport information for enablingtransfer of the analysis hash set to the billing authority.

Alternatively, the module may be configured to gather information fortesting and/or diagnostic purposes. In this case, the analyser ispreferably configured to derive one or more statistics relating to atleast a portion of the signals.

Preferably, the analyser is adapted to format the information fortransmission to a remote station.

Preferably, the analyser is adapted to generate an analysis hash set foreach signal of the at least a portion of the signals, the analysis hashset comprising at least a portion of the engine hash or data set for therespective signal and control and/or transport information for enablingtransfer of the analysis hash set to the remote station.

Preferably, the remote station is located at or under the control of atelecommunications company and/or an internet service provider and/or anetwork operator.

Again, it should be noted that the module may concurrently operate inmore than one mode. Namely, the lawful interception mode may operate asthe module is performing other data gathering processes.

According to a second aspect, there is provided an apparatus forgenerating communications to be sent to one or more destination nodes ina communications network, the apparatus comprising an enginecommunicatively coupled to an analyser; a processor communicativelycoupled to the engine and the analyser; and a database, wherein theprocessor is configured to transmit control signals to the engine and/orthe analyser, and in response thereto, the engine and the analyser areconfigured to generate and route communications to the destination nodesusing parameters from the database.

Preferably, the engine and the analyser are configured to generateprotocol data for the communications based on the parameters, therebyenabling routing of the communications to their respective destinationnodes.

Preferably, the parameters comprise one or more of a username, an e-mailaddress, a telephone number, a unique device identifier, details of thetransfer media to the respective destination nodes or a type of deviceidentifier.

Preferably, the apparatus comprises a memory for storing user traffic,wherein the apparatus is configured to extract and associate at least aportion of the user traffic to each generated communication.

Preferably, the user traffic comprises voice and/or data traffic.

Preferably, the apparatus comprises means for generating the usertraffic.

Preferably, the analyser is configured to generate an analysis hash setfor each communication in response to the control signals usingparameters extracted from the database.

Preferably, the engine is configured to generate engine hash or datasets in response to the control signals and using the analysis hashsets.

The analysis and engine hash sets contain protocol and control datawhich enable the generated communications to be appropriately routed.

The apparatus of the second aspect may contain the module of the firstaspect, such that the module gathers information regarding the generatedcommunications. Moreover, the elements of the apparatus of the secondaspect may be the same as those of the module of the first aspect suchthat the same elements perform both the data gathering and callgeneration roles. Essentially, the apparatus of the second aspectprovides the reverse functionality of many of the components of thefirst aspect.

The apparatus of the second aspect provides a means for generatingcommunications so as to, for example, test at least portions of acommunications network by providing data on that network. The inventionenables this testing to be based on data that is akin to real datatransferred over a network, but without the risk associated therewith.

According to one embodiment, in the call generation mode, means forrouting the communications from the apparatus of the second aspect areprovided so as to enable the communications to be presented to aparticular network. Such means may include one or more of a tap, mirroror splitter.

According to a third aspect, there is provided a communications systemcomprising the module of the first aspect and/or the apparatus of thesecond aspect.

According to a fourth aspect, there is provided a method for use in acommunications network in which a plurality of signals are transmittedbetween respective first and second nodes, the method comprisingreceiving the plurality of signals over the network at an engine;extracting protocol data from the received signals and providing theextracted protocol data to an analyser; and controlling operation of theengine and analyser using a processor.

Preferably, the method comprises dividing the signals between arespective first node and second node into a plurality of planes andseparately processing each plane. More preferably, the signals aredivided into three planes. Namely, the planes defined in relation to thefirst aspect.

Preferably, the method comprises processing the user and/or networkcontrol signalling and the control information to control processing ofthe user plane traffic.

Preferably, each plane is processed substantially simultaneously.

Thus each signal of the second set of signals may be relayed to itscorresponding destination through the module or apparatus of theinvention in, or substantially in, real-time such that a user at thedestination node is unaware of any delay. This is particularly importantfor lawful interception applications since it is vital that parties tothe communications being monitored are unaware of the interceptions.More generally, though, it avoids inconveniencing users and loss ofconnections.

Preferably, the method comprises duplicating the plurality of signals toform two or more sets of substantially identical signals, wherein afirst set of signals is processed according to the method of the fourthaspect and a second set of signals is transparently transported suchthat each signal is conveyed to its respective destination node.

Preferably, the method comprises extracting protocol data from each ofthe plurality of signals and forming an engine hash set or an engine CDC(Centrifuge Data Control) set for each said signal, each engine hash setcomprising information regarding user and/or transport and/or networksignalling, control information and any user plane traffic.

The method may further comprise adding a weight, as describedhereinabove in relation to the first aspect.

Preferably, the method comprises receiving one or more mode signals.

Preferably, a first set of control parameters is relayed from theprocessor to the analyser in response to a mode signal.

A second set of control parameters may be relayed from the analyser tothe engine in response to the first set of control parameters ordirectly passed from the processor to the engine. Alternatively, thesecond set of control parameters may be relayed from the processor tothe engine via the analyser, in which case, the analyser may modify theparameters prior to relaying them to the engine.

Preferably, operational parameters are extracted from a database inresponse to the first set of control parameters and/or the second set ofcontrol parameters.

According to one embodiment, a mode signal may indicate a lawfulinterception mode of operation and an identifier (or a plurality ofidentifiers) may be received identifying one or more signals to beintercepted.

Preferably, the one or more signals from the plurality of signals arelocated using the identifier and the extracted protocol data.

Preferably, the identifier is received from a database.

The identifier may be received directly from a user entry devicedirectly or via the database.

Preferably, at least a portion of the intercepted signal and/orinformation obtained therefrom is stored and/or transmitted. Preferably,the at least a portion of the intercepted signal and/or informationobtained therefrom is encrypted prior to transmission.

Preferably, the method comprises generating an analysis hash set foreach signal to be intercepted, the analysis hash set comprising at leasta portion of the engine hash or data set for the respective signal andcontrol and/or transport information for enabling transfer of theanalysis hash set and/or the associated user traffic to the remote node.

According to another embodiment, a mode signal may indicate aninformation gathering mode, in which case, the method preferablycomprises gathering information from at least a portion of the signalsin response to the mode signal.

The gathering of information may be for billing purposes, in which case,details of the originating and/or destination nodes; and/or a durationof the communication and/or an amount of data exchanged between the twonodes; and/or a type or category of service information may beextracted. The information may be formatted for transmission andtransmitted to a billing authority. Preferably, an analysis hash set isgenerated for each signal of the at least a portion of the signals, theanalysis hash set comprising at least a portion of the engine hash ordata set for the respective signal and control and/or transportinformation for enabling transfer of the analysis hash set to thebilling authority.

Alternatively, the gathering of information may be for testing and/ordiagnostic purposes, in which case, one or more statistics may bederived which relate to at least a portion of the signals. Theinformation may be formatted for transmission and transmitted to aremote station. Preferably, an analysis hash set is generated for eachsignal of the at least a portion of the signals, the analysis hash setcomprising at least a portion of the engine hash or data set for therespective signal and control and/or transport information for enablingtransfer of the analysis hash set to the remote station.

According to a fifth aspect, there is provided a method of generatingcommunications to be sent to one or more destination nodes in acommunications network, the method comprising transmitting controlsignals from a processor to an engine and/or an analyser, the enginebeing communicatively coupled to the analyser; and in response thereto,generating and routing communications to the destination nodes usingparameters from the database by the engine and the analyser.

Preferably, the generating comprises generating protocol data for thecommunications based on the parameters, thereby enabling routing of thecommunications to their respective destination nodes.

Preferably, stored user traffic is used for the communications, whereinat least a portion of the user traffic is extracted and associated toeach generated communication. Thus, it is possible to test a network orportions of the network to see how they handle real traffic previouslycommunicated on that or another network, and to do so in real-time. Itis therefore a straightforward matter to test the operation of a networkduring its infancy or when modifications are made.

Alternatively, the user traffic may be generated as required, eitherlocally or remotely.

Preferably, an analysis hash set is generated for each communication inresponse to the control signals using parameters extracted from thedatabase.

Preferably, engine hash sets are generated in response to the controlsignals and using the analysis hash sets.

Information regarding communications generated using the method of thefifth aspect may be gathered using the method of the fourth aspect.

Further aspects of the invention, which should be considered in all itsnovel aspects, will become apparent to those skilled in the art uponreading the following description which provides at least one example ofa practical application of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

One or more embodiments of the invention will be described below by wayof example only and without intending to be limiting with reference tothe following drawings, in which:

FIG. 1 is a telecommunications architecture having three planesaccording to an embodiment of the invention;

FIG. 2 a is a schematic representation of a system of an embodiment ofthe invention;

FIG. 2 b is a schematic representation of a system of an embodiment ofthe invention, similar to that of FIG. 2 a but providing additionaldetail;

FIG. 3 is a schematic representation of a first module of the inventionand its interface with a second module;

FIG. 4 is a schematic representation of a second module of the inventionand its interfaces with the first module and a third module;

FIG. 5 is a schematic representation of the third module of theinvention and its interfaces with a second module and end users; and

FIG. 6 is an end-to-end schematic representation of a system accordingto an embodiment of the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

All service providers, including wired and/or wirelesstelecommunications companies (Telcos) and Internet service providers(ISPs), offer their subscribers many individually piped services andapplications. As well as providing for the transfer of voice and/or dataand/or information, authentication, billing and access to third-partyapplication servers must also, for example, be performed. These servicesor applications may be integral to network switching and routingelements but the specific architecture and connecting technologies willdepend on the Telco and the vendor equipment chosen.

Each application or service deployed by a service provider is made up ofmany protocol stacks. Each stack may be described in terms of the OSIreference model described hereinbefore. Between origination anddestination nodes, each layer may be transformed or adapted depending onthe service provider's architecture and the carrier technology deployed.There is a wide range of connecting technologies, interfaces andarchitectures to deliver a service provider's application, some based onstandards and others proprietary to the vendor supplying the equipmentor application involved. Thus, additional layers may be included and/orsome layers of the OSI model may be altered or omitted.

Embodiments of the present invention provide apparatus, systems andmethods that are able to operate in various environments and therebyenable service providers to move towards a more converged view whilstmaintaining and supporting an existing customer base and legacyservices. This is enabled using data obtained from the various OSIlayers or protocol stacks which may be performed for any type ofcommunication, as will become apparent from the description below. Thephysical location of the application of the present invention within acommunications system or network depends on its particular use anddeployment model. According to preferred embodiments, the engine islocated at an access aggregation point on the access side of the corenetwork such that there is access for the apparatus of the invention toall or a desired portion of communications in the network. Embodimentsof the invention do not require changes to any of the hardware modulespresent in existing networks because whilst the module of the presentinvention may be included in an access aggregation point such as aswitch, it is preferably provided upstream or downstream thereof so thatit may receive all or a subset of the communications to and from theswitch but does not require modifications to be made to the switch.Thus, embodiments of the present invention provide an application thatis independent of vendor equipment, functionally holistic in access andcore network switching technologies and capable of transparent,real-time operation.

FIG. 1 shows a telecommunications architecture 1 having three planes 12,13, 14. In each plane 12, 13, 14, the standard OSI reference model mayapply in whole or in part (i.e., all or a subset of the OSI layers maybe used for each plane 12, 13, 14). Planes 12, 13, 14 are configuredsuch that the user/network signalling, control data and user traffic maybe carried over physically separate bearer and/or transporttechnologies. First plane 12 (shown in light blue in FIGS. 1 to 5) isresponsible for user traffic such as voice, data, applications andservices. Second plane 13 (shown in light green in FIGS. 1 to 5) isresponsible for control data. Third plane 14 (shown in light orange inFIGS. 1 to 5) is responsible for transport or user/network signalling.All planes 12, 13, 14 work together simultaneously to enablecommunications to and from a user or subscriber device 15. Typically,each plane interacts with the others and this interaction has manyinterfaces, each with its own particular protocol stacks. Theapplication logic of the present invention maintains state forprocessing between planes, interfaces and protocols.

In preferred embodiments, the invention processes user/network callsignalling and control data, thereby permitting the tracking of,analysis on and potential subsequent action on user plane traffic. Thus,it is possible to focus processing on key portions of communications andto only expend significant processing power and communications bandwidthon user plane traffic when required. The invention finds particularapplication to lawful interception of communications involving anidentifier such as that for a particular user, service or any otheridentifier that may be selected. The identifier may be compared withinformation in the control data plane 13 and/or user/network signallingplane 14, with operations (e.g. routing of the user plane traffic to alaw enforcement agency) only being performed if required. Embodiments ofthe invention may also be used for data extraction purposes byidentifying service users (such as calling and/or called parties in atelecommunications network), details of the communications (e.g. lengthof time for a communication and/or amount of data exchanged) and/ordetails of the type of service. The information obtained may be used forbilling customers as well as in capacity planning and diagnostics.Capacity planning and diagnostics functionality may be provided usingreal communications over the network. However, embodiments of theinvention provide for simulated call generation for this purpose so asto enable more rapid testing of network functionality. The callgeneration and data extraction functionalities are preferably providedin the same module using the same key components. However, the inventionis not limited thereto and separate components may be used in the samemodule or separate modules may be used for each purpose.

The apparatus of the present invention is made up of three basicmodules, an engine, an analyser and a processor, each of which may beimplemented in hardware and/or software. The functions of each moduleare such that they support centralised or distributed processing,wherein the functions may be performed by a single element or split overa plurality of elements. The particular configuration selected is notmaterial to the invention and the skilled man would be readily able toselect a particular configuration depending on performance requirements.It is therefore intended that all such configurations be included withinthe scope of the invention.

Referring again to FIG. 1, to receive a service, subscriber 15 typicallymakes use of the service providers access, core and service applicationsnetworks 17, 18. This involves the use of several elements (shown ascircles in the three layers) with interfaces therebetween. The real-timelogic of the present invention understands the protocols between thevarious elements and extracts information therefrom. This is applied toprocessing for the user or service as required. Connections betweenplane elements are interfaces that consist of various physicalinterfaces and protocol stacks. Thus, the invention provides for amulti-protocol real-time switching and processing application forwireless and fixed access and core technologies. This provides serviceproviders with direct real-time processing of all user activity andapplications present on their network. This processing may be on aparticular subscriber or on a service used by many subscribers.

FIG. 2 a shows a schematic representation of a system 20 according to anembodiment of the invention. As discussed above, the application of theinvention comprises three modules. These are engine module 21, analysismodule 22 and process module 23. The modules work together to providecarriers complete visibility of the user/network signalling and payloadtraffic flowing over their networks. Modules 21, 22 and 23 arecommunicatively coupled to database 24 which holds unique subscriber orapplication service identifiers. The real-time processing of theinvention of access and core network interfaces and protocols allows foran array of user or service specific identifiers, such as telephonenumbers, login names, Internet service provider (ISP) homepages etc.There are no restrictions on the form of the identifiers or the type ofcommunication to which the invention may be applied. The identifiers maydepend on the technology or may be common to the service. Also,embodiments of the invention are able to operate regardless of thevendor equipment deployed by a fixed and/or wireless carrier.

Engine module 21 applies fixed and wireline protocol analysis andcreates hash sets of current subscriber calls application services andtheir particular states along with other information such as statisticsto analysis module 22. Record sets provisioned in database 24 are usedto determine which calls and application services are to be processed.

Similar to engine module 21, analysis module 22 implements fixed andwireless protocol stacks and is fully aware of processes occurring inall seven OSI layers. Analysis module 22 controls the processing logicwithin engine module 21 based on applications loaded in process module23. Unlike engine module 21 which uses the actual signalling provided bythe network, the protocol analysis performed by analysis module 22 workson the hash sets provided by engine module 21 which dramatically speedsup the switching and processing of user payloads. Analysis module 22 andengine module 21 work together providing a high-speed switching lane foruser plane traffic.

Process module 23 provides instructions to analysis module 22 settingthe functional characteristics thereof depending on the particularapplication of the invention. For example, for a capacity planning role(as will be discussed in more detail below), analysis module 22 andengine module 21 only require statistics to be recorded whereas in alawful interception role, multimedia voice and data is switched inreal-time through to the (law enforcement) agencies authorised to makethe interceptions. Process module 23 also provides interfaces to the enduser, carrier NOC (Network Operations Centre) or other control centre,and/or reporting servers, as applicable, whether data, media orreporting is delivered. Process module 23 has an administrationinterface whereby an operator can provision IDs or identifiers, URI's(Uniform Resource Identifier) application services (fixed or cellular)etc they would like to troubleshoot, analyse or receive in real-time.

FIG. 2 b is a schematic representation showing functionality accordingto a preferred embodiment of the invention. The module is preferablyadapted to divide signals between a respective first node and secondnode into a plurality of planes and to separately process each plane.More preferably, signals are divided into three planes: transport,control and user planes.

The access side TRANSPORT plane carries the user's payload (sms, voice,video, internet data etc) to the carrier's CO exchange for switching androuting over the telco's network. eg: Radio link, phone line, DSL line,PABX trunks Ethernet etc. The module preferably simultaneously processesthe transport layer on the access side of the network for callprocessing and the network side for internal management functions suchas redundancy and system reliability.

The CONTROL plane includes call control information and/or network callsignalling. The module processes the control plane on both the accessand core networks, depending on the carrier and the user device.

The USER plane includes user plane traffic. This plane is primarilyconcerned with user generated content e.g. voice, data etc, but maycontain call control signalling and/or network information generated byuser applications, depending on service protocols. The module preferablyprocesses the user plane on both the access and core networks.

The three planes are used to functionally group a particular signal'sprotocol layers. The planes are then preferably divided into twosections: access and core. The access section connects the user to the,for example, telco network (wireline, local loop, cellular, RAN etc) andthe core section consists of the carriers' infrastructure switches.Particular call, session and/or user (including subscriber and/ordevice) identities may be generated and/or be simultaneously present inone or more of the three planes. The units of information processed in aplane may be referred to as a PDU or Plane Data Unit. Calls receivedwhich do not have the particular identity may be immediately discarded.

The PDU information content of each layer described above is onlyindicative of what would typically be expected and there is a highdegree of overlap particularly between the CONTROL and USER planes,especially in wireless networks.

Preferably, the module engine applies a weight to the PDU to facilitatehigh speed processing efficiency, provide a mechanism for real-timeadaptation of the executing engine code and ensure reliable contentdelivery.

Preferably, on a per call basis, each plane processes and assigns aweighting to the PDU (call component signalling) it receives and/orgenerates (depending on the mode of operation) in combination with theprevious plane weighting (if present) and local system parameters whichcontribute to system processing. The PDU weighting reflects the section(access, core), wireless/fixed technology, handling complexity, density,payload QoS, system processing intensity etc. For traffic identified andnot discarded and/or generated the module engine code cycle operationapplies a native and very natural logical centrifugal force to theweighted PDU's. This force aligns the PDU with upper plane particularcontrol processing such as exception handling or delivery routingchanges for QoS to external systems. Details of a preferred weightingscheme are provided in FIG. 2 b. The skilled person will be aware ofother weighting schemes and the invention is not limited to thespecifics of the scheme shown.

The engine may extract protocol data from each signal (moreparticularly, each PDU) and form an engine CDC (Centrifuge Data Control)set or hash set for each said signal, each engine data set comprisinginformation regarding user and/or transport and/or network signalling,control information and any user plane traffic. The engine may thenapply a weight to the PDU, as described hereinabove.

FIG. 3 is a schematic representation of engine module 21 and itsinterface with analysis module 22. Engine module 21 receives signalsover any number of interfaces carrying user and/or network control andsignalling and user traffic. These interfaces may be physical orlogical. For example, they may be VPN (virtual private network) basedwith VPLS (virtual private LAN service) or MPLS (multiprotocol labelswitching) encapsulation. The physical transport to the apparatus of theinvention may use copper-wire and/or optical fibres and may be adaptedto receive and transmit or receive only. All forms of L1 and L2encapsulation are supported. There is no limit to the call processingcapabilities other than the switching and processing limits inherent ofthe platform on which the application of the invention resides. Theengine is designed to process each layer of the particular protocolstack as efficiently as possible through the use of hash sets which areparsed versions of the protocol stacks associated with givencommunications.

Each physical connection contains interfaces having a specificinter-plane connection (see FIG. 1) or several interconnections.Interfaces may carry fixed and/or wireless protocol stacks, where theconnection is specific to a particular fixed or wireless interface. Forexample, the Gn interface (a GPRS interface located between GPRS supportnodes) is a specific UMTS access technology interface as per 3GPP, C7ISUP (ISDN user part—a key protocol in the C7/SS7 signalling system) iscommon to both fixed and wireless access and core technologies. Enginemodule 21 provides the logic to correlate the common and specificinterfaces and protocols and has logic to maintain the state between theinterfaces and their layers such that communications continue to berelayed in a transparent manner.

The invention processes and parses the received fixed and wirelessprotocol stacks (starting at layer 1) in accordance with fixed andwireless protocol signalling standards such as for circuit ITU/ANSI C7ISUP WB and international Q.769 and cell packet technologies ATM, DSLFrame Relay, IP, cellular etc.

Engine module 21 constructs hash sets (preferably one to two bytes inlength but may be up to four bytes) for maintaining protocol and callstate information. The hash sets are read and written to via bitwiselogic operations and are produced on a per subscriber basis but may beconsolidated based on application service, access technology, carriertechnology etc. The relevant call signalling is extracted and maintainedby way of the hash sets for the purpose of keeping state for subsequentlogic. The length of the hash sets depends on the particular layer,interface and plane over which the signalling is occurring.

Engine hash sets are produced as a result of protocol analysis whichrequires particulars of the subscriber or service of interest. Theseparticulars are provided in database 24 and can be changed at anytimeduring operation of the invention. The records stored in database 24 areof a nature that provides unique call/service identifiers which aregroomed and applied to the protocol stacks relevant to the traffic onthe inbound interfaces.

Engine module 21 provides common protocol stack switching wherebycertain protocol layers are common to many stacks. For example, the HTTPprotocol may be accessed via wireless (PDA) or fixed (broadband)networks and there is no need to duplicate this layer. Every layer iscarefully maintained for state information and system maintenancepurposes and to overcome access and transport connectivity issues suchas packet loss and congestion which cause problems in terms of dormantsessions and memory loss.

The unique hash sets provide details on the current call state byconsolidating details for each relevant interface participating in aparticular call or calls, taking account of network congestion andretransmission algorithms and strategies, which is critical particularlyfor traffic inbound over lossy wireless access networks.

What information engine module 21 extracts depends on the technologyemployed at the particular layer. For example, fixed voice may becarried over different protocols (from layer 1 through to layer 6), butlayer 7 is still voice (layer 1 could be an E1 or Ethernet)—it dependson the carrier infrastructure. It becomes more complex when wireless(GSM/UMTS (3GPP) vrs CDMA/EVDO (3GPP2)) functionality is added. Enginemodule 21 understands this variation on a per layer basis and tracks thechanges in protocols (layer 1 through to layer 7). As a result of thisvariation the input to the hash sets may vary from protocol to protocoland could be atm/vpn identifiers through to session/sequence numbers andcryptographic hashes, basic information specific to theowner/generator/terminator of the communications stream, or simply datathat helps in the reassembly of a fragmented traffic stream. The lengthof the hash sets may vary depending on what is being hashed and theycontain bits to identify the protocol owner and stream information toaid in the multiplexing of real-time QoS (Quality of Service) awaretraffic.

FIG. 4 is a schematic representation of analysis module 22 and itsinterfaces with engine module 21 and process module 23. Analysis module22 controls the processing performed by engine module 21 in accordancewith the service instructions received from process module 23. Theinstructions it receives depends on the particular application of theinvention being performed on the selected call or service. Call andservice specific details are read from database 24. Analysis module 23provides information to process module 23, such as call service tracedata and call statistics, as well as providing health of system and/ordiagnostic data for system logs, alarming and maintenance purposes.

Analysis module 22 implements feed-forward towards process module 24 andfeed-back towards engine module 21 with the particular information beingpassed depending on the particular application of the invention.Critical details required to support the particular application areprovided in a memory such as database 24.

Call states are maintained through analysis hash sets which are based onthe engine hash sets (i.e., the hash sets generated by engine module 21)and the instructions received from process module 23. Thus, the analysishash sets may contain data from the engine hash sets as well as, forexample, routing and control information to enable the desired functionto be performed (e.g. the correct routing of data to a law enforcementagency when operating in the lawful interception mode or the forwardingof data to a local or remote memory when operating in a diagnosticmode).

Thus, analysis module 22 simply controls what engine module 21 islooking for in terms of relevant identifiers (whether these identifiersbe for lawful interception, billing or other information gathering orcall generation). This aids in the real-time multiplexing of mediaaudio/video or any QoS aware traffic and the generation of theappropriate data, which again depends on carrier infrastructure andtechnologies.

FIG. 5 is a schematic representation of process module 23 and itsinterfaces with analysis module 22 and example end users. Process module23 provides top level control for the invention in that it adapts andcontrols the behaviour of engine and analysis modules 21 and 22depending on the particular application, such as traffic analysis, realtime billing, lawful interception etc. Each specific applicationrequires data configuration and details which are provided by database24 which is preferably readable by all three modules 21, 22 and 23.

Process module 23 sends instructions to analysis module 22 for tuningand tailoring the protocol analysis stack function. As a result,analysis module 22 may similarly tune and tailor the function of enginemodule 21. The instructions are on a per call or service basis and donot apply in a global sense, thereby allowing the invention to performmultiple roles simultaneously without interference. For example,communications may be generated in a generation mode and substantiallysimultaneously recorded for statistical purposes in a capacity planningrole.

Through use of the protocol hash sets generated by engine and analysismodules 21 and 22, the invention supports real time processing ofvarious communications including standard PSTN voice traffic, softswitch based voice over IP technology and peer to peer technologies suchas Skype and the like. An embodiment of the system showing suchcapabilities is provided in FIG. 6. Note that the skilled man would beaware of alternative/additional technologies and/or transport mediawhich may be included (other than those specifically shown in FIG. 6)and it is intended that all such alternatives/additions be includedwithin the scope of the invention.

FIG. 6 shows example system 60 including some of the inventive aspectsof the invention, in particular, those relating to lawful interceptionof communications. Access network 61, wireless network 62 and fixednetwork 63 enable elements within system 60 to communicate with oneanother, as would be apparent to one of skill in the art. Othertransmission media, including via satellites, are also within the scopeof the invention. Module 64 of the invention receives allcommunications, or at least a copy thereof, being transferred across thenetwork (note that reference “BXP” in FIG. 6 is used to highlight thekey components of the invention). Relevant communications areintercepted and sent over, for example, virtual private network (VPN) 65to a remote server 66. User interface 67 is provided to enable theresults to be monitored and also to enable the provision of identifiersinto the system so that particular communications may be targeted forinterception. Note that server 66 and monitor 67 may be directly coupledto or integral to module 64.

An embodiment of the method of the invention will now be described withreference to FIG. 2 a. At step 0, the identifiers are loaded fromdatabase 24 and at step 1, protocol analysis is performed by engine 21on incoming traffic to determine call technology and state. Hash setsare created for each communication and sent to analysis module 22. Atstep 2, analysis module 22 performs particular functions on the enginehash sets depending on instructions received from process module 23 andidentifiers received from database 24. Based on call state data receivedfrom analysis module 22 and the particular role or application thesystem or method of the invention is selected to perform, furtherinstructions are sent to analysis module 22 for execution at step 3.Analysis hash sets are created as a result of this processing. Theanalysis hash sets may be generated for all or a subset of thecommunications depending on the mode of operation of the invention. Forexample, in the lawful interception mode, analysis module 22 mayidentify relevant communications and only generate analysis hash setsfor the identified communications. At step 4, analysis module 22 carriesout any instructions received from process module 23. For example, theinstructions may be to connect a high-speed switching socket for mediarelay or to save signalling and call statistics to a memory and/or adisplay (not shown). These instructions will depend on the particularrole selected to be performed. The hash sets are modified to reflectthese instructions.

Analysis module 22 may receive instructions to prioritise certain callsand/or services over others at step 5. Additionally, feedback isprovided to engine 21 so that it works with maximum efficiency, such asby deploying ICMP (Internet Control Message Protocol) or ARP (AddressResolution Protocol) filters. At step 6, engine 21 applies protocolanalysis for all OSI layers for every frame or cell. Certain protocolsmay be filtered for explicitly for either processing or to be dropped.Tuning instructions for engine 21 are provided by analysis module 22.The instructions received by engine 21 at step 7 may be to connect ahigh speed media lane to process module 23, in which case, theconnections are made and user plane traffic is relayed through to itsdestination. The high speed media switching lane requires the use ofboth the engine and analysis hash sets to ensure that state ismaintained for the communications and that they are correctly routed.

On receiving data reports, media etc at step 8 from engine 21 andanalysis module 22, process module 23 cuts, for example, ASN.1 (AbstractSyntax Notation One) records with details regarding the call orapplication service for formal reporting into the business. ASN.1 is aformal notation used for describing data transmitted bytelecommunications protocols, regardless of language implementation andphysical representation of the data, whatever the application, whethercomplex or simple. It is a language for abstractly describing messagesto be exchanged among an extensive range of applications involving theInternet, intelligent network, cellular phones, ground-to-aircommunications, electronic commerce, secure electronic services,interactive television, intelligent transportation systems, Voice OverIP and others. Analysis module 22 ensures that content reporting,multimedia, rtp, statistics etc are delivered to the provisionedend-point destinations. Receipt of all transactions and communicationsis preferably confirmed using protocols known to those of skill in theart.

Embodiments of the invention do not replace deployed network elements orsystems but instead compliment existing systems by performing analysisand relay of traffic transparently (to the originating and destinationnodes) and in real time. Thus, no requirements are imposed on theexisting infrastructure allowing for deployment of the invention inexisting systems.

Embodiments of the invention may not only be used for monitoringcommunications. Additionally or alternatively, embodiments of theinvention may be used to generate communications. These embodiments areof particular value when combined with the monitoring systems describedhereinbefore because this enables a service provider to quickly andeasily test the capabilities of their systems under any desiredconditions. Thus, embodiments of the invention may be used to rapidlytest new components deployed in a communications network, therebyallowing them to become operational and an active part of the networkmore quickly but avoiding loss of any actual user traffic.

According to the communications generation aspects of the invention, theengine, analyser and processor work together to generate thecommunications. The processor provides control signals to the engineand/or the analyser, and in response thereto, the engine and theanalyser generate and route communications to the desired destinationnodes using parameters from a database, such as database 24 in FIG. 2 a.More particularly, the engine and the analyser generate protocol datafor the communications based on the parameters which may include one ormore of a username, an e-mail address, a telephone number, a uniquedevice identifier or a type of device identifier. The parameters mayalso include particulars of the transmission medium. Thus, protocolstacks may be generated which enable transmission of the communications.These stacks may be formed by the analyser generating an analysis hashset for each communication in response to the control signals usingparameters extracted from the database and the engine generatingrespective engine hash sets in response to the control signals and usingthe analysis hash sets, and possibly additional parameters retrievedfrom the database. A memory, such as database 24 of FIG. 2 a, may storesample user traffic which is appended to the communications. The usertraffic may include voice and/or data traffic, applications or services.According to one embodiment, means are provided for generating the usertraffic. The means for generating may be adapted to generate traffic inaccordance with parameters previously monitored for the network or asimilar network using the monitoring apparatus of the invention. Randomgenerators may be used to mimic variations which are likely to occurwithin the network. Thus, it is possible to generate traffic which issimilar to that which may actually be communicated over the network.

Thus, one or a plurality of communications streams may be set up betweentwo or more real devices. Protocol layers (i.e., header/tail) aregenerated on a per call basis for the desired number of calls andtechnology (e.g. fixed/wireless, VoIP, SMS, PTT, voice, etc) and thepayloads of the calls are multiplexed through to the destination system.Appropriate statistics and diagnostics can be performed in real-time orcan be recorded for offline analysis of the carrier infrastructure andsubsystems (e.g. transmission, billing, IN, etc).

Applications of the invention include:

-   -   real time ISP/telco applications or services troubleshooting on        a per call or per service basis;    -   real time call traffic generation of user/network signalling and        user traffic for the purpose of loading network/service        elements—circuit and packet, fixed and cellular communications        are supported;    -   real time billing record generation on a per call or per service        basis;    -   real time viewing of network statistics; and    -   lawful interception in real time.

The invention is not limited to these applications and the skilled manmay be aware of others. It is intended that all such applications beincluded within the scope of the invention whether they include theextraction of data regarding communications and/or the generation ofcommunications in a communications network.

Unlike many previous arrangements, such as that described in US2004/0165709, embodiments of the present invention are not limited toone particular type of communication over one particular portion of anetwork. For example, US 2004/0165709 is limited to a Telco's core IPnetwork, with the interceptor limited to VoIP communications.Embodiments of the invention may process all types of communications onboth the access and core networks, thereby guaranteeing interception ofany target. The novel approach described herein enables this to berealised despite the potentially huge volumes of data being transportedaround a network and without causing delays in the transmission oftraffic or storing data which is not being legitimately targeted.

Furthermore, contrary to prior approaches, embodiments of the inventionprovide for operation at layer 7, thereby enabling various components ofthe system to reliably communicate with one another. An additionaladvantage is that, for example, geographical redundancy may be provided,such as for a telephone number, since embodiments of the inventionenable geographical restraints to be removed.

Various changes and modifications to the presently preferred embodimentsdescribed herein will be apparent to those skilled in the art. Suchchanges and modifications may be made without departing from the spiritand scope of the present invention and without diminishing its attendantadvantages. It is therefore, intended that such changes andmodifications be included within the present invention.

1. A module for use in a communications network in which a plurality ofsignals are transmitted between respective first and second nodes, themodule comprising: an engine for receiving the plurality of signals overthe network, for extracting protocol data therefrom and for providingthe extracted protocol data to an analyser; and a processor forcontrolling operation of the engine and analyser.
 2. The module of claim1, adapted to divide signals between a respective first node and secondnode into a plurality of planes and to separately process each plane. 3.The module of claim 2, wherein the module is adapted to divide thesignals into three planes.
 4. The module of claim 3, wherein a firstplane comprises the access side transport plane which carries a user'spayload, and/or a second plane comprises control information and/ornetwork call signalling, and/or a third plane comprises user planetraffic. 5-6. (canceled)
 7. The module of claim 4, wherein the module isconfigured to process the user and/or network control signalling and thecontrol information to control processing of the user plane traffic. 8.The module of claim 2, wherein each plane is processed substantiallysimultaneously.
 9. The module of claim 1, further comprising means forduplicating said plurality of signals to form two sets of substantiallyidentical signals.
 10. (canceled)
 11. The module of claim 9, wherein theengine is configured to receive the first set of said signals and/ortransparently transport the second set of signals such that each signalof the second set is conveyed to its respective destination node. 12.(canceled)
 13. The module of claim 1, wherein the engine is adapted toextract protocol data from each of the plurality of signals and to forman engine hash set for each said signal, each engine hash set comprisinginformation regarding user and/or transport and/or network signalling,control information and any user plane traffic. 14-15. (canceled) 16.The module of claim 1 or 9, wherein the processor is adapted to receiveone or more mode signals which determine the functional characteristicsof the module.
 17. The module of claim 16, wherein the processor isadapted to receive a mode signal from a user entry device.
 18. Themodule of claim 16, wherein the processor is adapted to relay a firstset of control parameters to the analyser in response to a mode signal.19. The module of claim 18, wherein the analyser is adapted to relay asecond set of control parameters to the engine in response to the firstset of control parameters.
 20. The module of claim 16, wherein theprocessor is adapted to relay a second set of control parameters to theengine in response to a mode signal.
 21. The module of claim 20, whereinthe processor is adapted to relay the second set of control parametersto the engine via the analyser.
 22. The module of claim 21, wherein theanalyser is adapted to modify the second set of control parameters priorto relaying said parameters to the engine.
 23. The module of claim 18,wherein the analyser is adapted to extract operational parameters from adatabase in response to the first set of control parameters.
 24. Themodule of claim 19, wherein the engine is adapted to extract operationalparameters from a database in response to the second set of controlparameters.
 25. The module of claim 16, wherein: a mode signal indicatesa lawful interception mode of operation; and said module is adapted toreceive an identifier identifying one or more signals to be intercepted.26. The module of claim 25, wherein the analyser is configured to locatesaid one or more signals from the plurality of signals using theidentifier and the extracted protocol data.
 27. The module of claim 25,wherein the identifier comprises any one or more of a user identifierand/or a user device identifier associated with one or more of saidsignals, a telephone number, unique device or port identifier, username,login name, email address or a URL, a service identifier, or a categoryof service identifier. 28-30. (canceled)
 31. The module of claim 25,adapted to receive the identifier from a database communicativelycoupled or integral thereto or from a user entry device. 32-33.(canceled)
 34. The module of claim 25, further comprising a memory forstoring at least a portion of the intercepted signal and/or informationobtained therefrom and/or a transmitter for transmitting at least aportion of the intercepted signal and/or information obtained therefromto a remote node. 35-37. (canceled)
 38. The module of claim 25 whendependent on claim 13, wherein the analyser is adapted to generate ananalysis hash set for each signal to be intercepted, the analysis hashset comprising at least a portion of the engine hash set for therespective signal and control and/or transport information for enablingtransfer of the analysis hash set and/or the associated user traffic tothe remote node.
 39. The module of claim 16, wherein a mode signalindicates an information gathering mode of operation and in response tothe mode signal, the analyser is configured to gather information fromat least a portion of the signals. 40-41. (canceled)
 42. The module ofclaim 39, wherein the analyser is configured to extract details of theoriginating and/or destination nodes; and/or a duration of thecommunication and/or an amount of data exchanged between the two nodes;and/or a type or category of service information.
 43. The module ofclaim 42, wherein the analyser is adapted to format the information fortransmission to a billing authority.
 44. (canceled)
 45. The module ofclaim 43 when dependent on claim 13, wherein the analyser is adapted togenerate an analysis hash set for each signal of the at least a portionof the signals, the analysis hash set comprising at least a portion ofthe engine hash set for the respective signal and control and/ortransport information for enabling transfer of the analysis hash set tothe billing authority.
 46. The module of claim 39, wherein the module isconfigured to gather information for testing and/or diagnostic purposes.47. The module of claim 39, wherein the analyser is configured to deriveone or more statistics relating to at least a portion of the signals.48. (canceled)
 49. The module of claim 46 when dependent on claim 13,wherein the analyser is adapted to generate an analysis hash set foreach signal of the at least a portion of the signals, the analysis hashset comprising at least a portion of the engine hash set for therespective signal and control and/or transport information for enablingtransfer of the analysis hash set to a remote station. 50-60. (canceled)61. A method for use in a communications network in which a plurality ofsignals are transmitted between respective first and second nodes, themethod comprising: receiving the plurality of signals over the networkat an engine; extracting protocol data from the received signals andproviding the extracted protocol data to an analyser; and controllingoperation of the engine and analyser using a processor.
 62. The methodof claim 61, further comprising dividing the signals between arespective first node and second node into a plurality of planes andseparately processing each plane.
 63. The method of claim 62, furthercomprising dividing the signals into three planes, a first planecomprising transport information, a second plane comprising controlinformation and a third plane comprising user plane traffic. 64-69.(canceled)
 70. The method of claim 61, comprising extracting protocoldata by the engine from each of the plurality of signals and forming anengine hash set for each said signal, each engine hash set comprisinginformation regarding user and/or transport and/or network signalling,control information and any user plane traffic.
 71. The method of claim61, further comprising receiving one or more mode signals at theprocessor. 72-78. (canceled)
 79. The method of claim 71, wherein a modesignal indicates a lawful interception mode of operation, said methodfurther comprising receiving an identifier identifying one or moresignals to be intercepted and the one or more signals from the pluralityof signals using the identifier and the extracted protocol data. 80-86.(canceled)
 87. The method of claim 71, wherein a mode signal indicatesan information gathering mode of operation and the method furthercomprising gathering information from at least a portion of the signalsby the analyser in response to the mode signal. 88-103. (canceled)